Since 2004, a source for ranting, reviews and InfoSec news

Menu

Jailbroken Phones and Corporate Access

A month ago I posted an article titled Jailbreaking – Unsafe at Any Speed. That was about the need for companies to have policies against jailbreaking on corporate phones. Now I find myself in the position of writing policy to allow personal phones to connect to the Good server. I want to bring the same “no jailbreak” policy over to personal devices and I’m getting some pushback.

For those not familiar with Good, Good has an app for the phone. The app connects to the Good data center. A good server in our data center talks to the Good data center and our Exchange server. In terms of connections it is similar to Blackberry. The difference is the data is kept within a theoretically secure vault.

In every example of mobile phone policy or discussion of mobile data security it seems step one is don’t allow jailbreaking. Good has the ability to check for jailbroken phones and based on your config either exit the app or wipe the app.

Jailbreaking iPhones became a big thing for a while. People like to tinker. Is jailbreaking necessary anymore? Jailbreaking predates the appstore. Now the phrase “there’s an app for that” is a cultural meme. Jailbreaking was also used to get the phone onto unapproved carriers. iPhone is now available on Verizon, and a third carrier rumored soon. There is tethering, but now the phone company wants to sell that to you and will probably catch up with you if jailbreak to tether. iOS5 is rumored to be bringing in many of the features formerly only available through jailbreaking such as an approved “alert” system and wireless syncing. Facetime over 3g was also rumored for iOS5.

Jonathan A. Zdziarski made an impassioned plea for jailbreaking. It is no longer available on this blog, so I’m linking to archive.org. His argument is that DRM is bad, DRM is not security. He argues that attacks on jailbreaking are fear-mongering. Zdziarski wrote that blog post in opposition of Charlie Millers comments in 2009 that “if you care about security, you dont use a jailbroken iPhone.”

More recently, Charlie Miller commented about jailbreaking this August in an interview with Tom’s Hardware. “Yes, jailbreaking does weaken the security of the device by circumventing the security architecture as designed by Apple (code signing, running apps as user mobile in a sandbox, etc). ” In 2009, he was more bold stating , “The process removes around 80 percent of the security protections built into the phone’s software, making it more vulnerable.”

Saying jailbreaking is risky for an enterprise phone doesn’t mean it is the model of security if not jailbroken. The jailbreakme PDF exploit (now patched) used vulnerabilities in mobileSafari and IOKit to priviledge escalate. The SMS vulnerability Miller found was in the build in SMS software. Malicious software has made it through the vetting process into Apple’s AppStore.

People are free to do whatever they want with their own phones. But once you ask me to put corporate data on it, now I’m involved. I think we need to approach this with an abundance of caution. No matter how secure an app is it is relying on a untrustworthy operating system if that device has been jailbroken. If someone used privilege escalation to gain administrator on a corporate computer we wouldn’t say “glad that works better for you” and go about our day.

What does “vpn security” have to do with the capability to download programs?

In this post, I discussed jailbreaking, which is essentially a priviledge escalation attack using known system vulnerabilities. No corporation would allow their employees to make themselves administrator if policy said they couldn’t be.
Apps within the Apple AppStore world are held to be more secure because it is a walled garden. Breaking down that walled garden exposes all the dangers of the regular environment.
Computers normally have multiple layers of protection against malware. Tell me which antivirus product works on the iphone?

You may enjoy going bareback on the internet. That doesn’t mean everyone else in the world has to share that view. Particularly company owned phones. Companies must do their due diligence to protect their data assets.